OFFICE OF THE INSPECTOR GENERAL
SOCIAL SECURITY ADMINISTRATION

PERFORMANCE INDICATOR AUDIT: MANAGEMENT INFORMATION SYSTEMS AND MAINFRAME PROTECTION

September 2006   A-15-06-16112

AUDIT REPORT

Mission
By conducting independent and objective audits, evaluations and investigations, we inspire public confidence in the integrity and security of SSA's programs and operations and protect them against fraud, waste and abuse. We provide timely, useful and reliable information and advice to Administration officials, Congress and the public.

Authority
The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG). The mission of the OIG, as spelled out in the Act, is to:

   •   Conduct and supervise independent and objective audits and investigations relating to agency programs and operations.
   •   Promote economy, effectiveness, and efficiency within the agency.
   •   Prevent and detect fraud, waste, and abuse in agency programs and operations.
   •   Review and make recommendations regarding existing and proposed legislation and regulations relating to agency programs and operations.
   •   Keep the agency head and the Congress fully and currently informed of problems in agency programs and operations.

To ensure objectivity, the IG Act empowers the IG with:

   •   Independence to determine what reviews to perform.
   •   Access to all information necessary for the reviews.
   •   Authority to publish findings and recommendations based on the reviews.

Vision
We strive for continual improvement in SSA's programs, operations and management by proactively seeking new ways to prevent and deter fraud, waste and abuse. We commit to integrity and excellence by supporting an environment that provides a valuable public service while encouraging employee development and retention and fostering diversity and innovation.

SOCIAL SECURITY

MEMORANDUM

Date:     September 18, 2006                                   Refer To:
To:       The Commissioner
From:     Inspector General
Subject:  Performance Indicator Audit: Management Information Systems and Mainframe Protection (A-15-06-16112)

We contracted with PricewaterhouseCoopers, LLP (PwC) to evaluate 15 of the Social Security Administration's performance indicators established to comply with the Government Performance and Results Act. The attached final report presents the results of three of the performance indicators PwC reviewed. For the performance indicators included in this audit, PwC's objectives were to:

   •   Assess the effectiveness of internal controls and test critical controls over data generation, calculation, and reporting processes for the specific performance indicator.
   •   Assess the overall reliability of the performance indicator's computer processed data. Data are reliable when they are complete, accurate, consistent and are not subject to inappropriate alteration.
   •   Test the accuracy of results presented and disclosed in the Fiscal Year 2005 Performance and Accountability Report.
   •   Assess if the performance indicator provides a meaningful measurement of the program it measures and the achievement of its stated objective.

This report contains the results of the audit for the following indicators:

   •   Enhance efforts to improve financial performance using Managerial Cost Accountability System.
   •   Improve workload information using Social Security Unified Measurement System.
   •   Maintain zero outside infiltrations of SSA's programmatic mainframes.

Please provide within 60 days a corrective action plan that addresses each recommendation. If you wish to discuss the final report, please call me or have your staff contact Steven L. Schaeffer, Assistant Inspector General for Audit, at (410) 965-9700.

Patrick P. O'Carroll, Jr.

Attachment

MEMORANDUM

Date:     September 6, 2006
To:       Inspector General
From:     PricewaterhouseCoopers, LLP
Subject:  Performance Indicator Audit: Management Information Systems and Mainframe Protection (A-15-06-16112)

OBJECTIVE
The Government Performance and Results Act (GPRA)[1] of 1993 requires the Social Security Administration (SSA) to develop performance indicators that assess the relevant service levels and outcomes of each program activity.[2] GPRA also calls for a description of the means employed to verify and validate the measured values used to report on program performance.[3]

Our audit was conducted in accordance with generally accepted government auditing standards for performance audits. For the performance indicators included in this audit, our objectives were to:

   1.  Assess the effectiveness of internal controls and test critical controls over data generation, calculation, and reporting processes for the specific performance indicator.

   2.  Assess the overall reliability of the performance indicator's computer processed data. Data are reliable when they are complete, accurate, consistent and are not subject to inappropriate alteration.[4]

   3.  Test the accuracy of results presented and disclosed in the Fiscal Year (FY) 2005 Performance and Accountability Report (PAR).

   4.  Assess if the performance indicator provides a meaningful measurement of the program it measures and the achievement of its stated objective.

[1] Public Law Number 103-62, 107 Stat. 285 (codified as amended in scattered sections of 5 United States Code (U.S.C.), 31 U.S.C. and 39 U.S.C.).
[2] 31 U.S.C. § 1115(a)(4).
[3] 31 U.S.C. § 1115(a)(6).
[4] GAO-03-273G, Assessing Reliability of Computer Processed Data, October 2002, p. 3.

PIA: Management Information Systems and Mainframe Protection (A-15-06-16112)

BACKGROUND
We audited the following performance indicators as stated in the SSA FY 2005 PAR:

   Performance Indicator                                          FY 2005 Goal       FY 2005 Actual Reported Results
   Enhance efforts to improve financial performance using         15%                5%
     Managerial Cost Accountability System (MCAS).[5]
   Improve workload information using Social Security Unified     46%                42%
     Measurement System (SUMS).[6]
   Maintain zero outside infiltrations of SSA's programmatic      0 infiltrations    0 infiltrations
     mainframes.[7]

MCAS and SUMS Projects
SSA is developing two new systems to enhance the monitoring and reporting of financial and performance data. MCAS and SUMS will be a key enabler to allow SSA to monitor and report progress toward achieving its strategic goals and objectives and tracking resource expenditures.[8]

SSA Information Systems
SSA employees process a tremendous amount of sensitive personal data through the SSA mainframe applications on a daily basis. To ensure the integrity and security of this data, SSA has invested heavily in the development and implementation of multiple layers of electronic security. As a result, SSA management has implemented numerous intrusion detection and prevention controls to identify and address threats to the SSA systems. SSA management continuously monitors the security of the SSA mainframe environment and the networks that surround it.

RESULTS OF REVIEW
We did not identify any significant findings related to the internal controls, data reliability, meaningfulness, accuracy of presentation, or disclosure of the information related to the indicators "Enhance efforts to improve financial performance using Managerial Cost Accountability System (MCAS)" and "Improve workload information using Social Security Unified Measurement System (SUMS)." We identified findings related to internal controls, meaningfulness, and accuracy of presentation and disclosure of the information contained in the PAR for the indicator "Maintain zero outside infiltrations of SSA's programmatic mainframes."

[5] SSA, PAR FY 2005 p. 99.
[6] Id. p. 84.
[7] Id. p. 98.
[8] Id. pp. 35 and 42.

Enhance efforts to improve financial performance using Managerial Cost Accountability System (MCAS)

Indicator Background

      "MCAS focuses on critical performance and financial information needed by managers and employees, and promotes performance accountability for Social Security programs. As stewards of the Social Security Trust Fund, SSA must also model appropriate information management processes to ensure accountability for workloads. The Agency's MCAS includes a number of projects designed to update the cost analysis system, reporting systems, workload measurement systems, and system access. The integration of financial and performance management systems will allow the Agency to routinely assess performance and financial information in order for local managers to make more timely and efficient day-to-day decisions."[9]

Performance Indicator Calculation

      Performance % = A methodology which weights individual projects to create a combined percentage is used to track the overall completion of this initiative.[10]

The SUMS/MCAS project plan tracking and releases as reported to the SUMS/MCAS Executive Steering Committee are the data sources for this calculation.

Findings

We did not identify any significant findings related to the internal controls, data reliability, accuracy of presentation, meaningfulness, or disclosure of the information related to this indicator contained in the PAR.

[9] Id. p. 99.
[10] Id. p. 99.

Improve workload information using Social Security Unified Measurement System (SUMS)

Indicator Background

      "The Agency has recognized the need to improve the quality, consistency and access to information that is used by managers and analysts throughout SSA to manage work and account for resources. The objective of SUMS is to create a system for SSA operational components that counts and measures all work in a consistent manner regardless of where the work is processed. This system provides access to information needed to meet changing business requirements, support process reviews and comply with government standards. Access to web based reports and workload control listings and other information are available on demand, eliminating the need for paper reports."[11]

SUMS is considered a key enabler in monitoring and reporting on SSA's progress toward achieving its strategic goals and objectives and tracking resource expenditures. The objective of this system is to count and to measure work in a consistent manner at all organizational levels. It provides the detailed information that managers need to monitor service, forecast workloads, and make informed decisions on how best to manage work and resources.[12]

Performance Indicator Calculation

      Performance % = A methodology which weights individual projects to create a combined percentage used to track the overall completion of this initiative. Completion percentages are also attributed to cross cutting projects, including Time Allocation and the Customer Service Record, to derive an overall SUMS completion percentage.[13]

The SUMS/MCAS project plan tracking and releases as reported to the SUMS/MCAS Executive Steering Committee are the data sources for this calculation.

[11] Id. p. 84.
[12] Id. p. 35.
[13] Id. p. 84.

Findings

We did not identify any significant findings related to the internal controls, data reliability, accuracy of presentation, meaningfulness, or disclosure of the information related to this indicator contained in the PAR.

Maintain zero outside infiltrations of SSA's programmatic mainframes

Indicator Background

SSA maintains an Intrusion Protection Team (IPT) specifically created to prevent outside infiltrations of systems. The IPT uses numerous software tools to immediately detect attempts to infiltrate SSA's network and underlying systems. Additionally, software controls at all levels of SSA systems are used to prevent unauthorized access to SSA systems.

SSA created this performance indicator to document the Agency's success in protecting the mainframe computers, on which SSA's sensitive programmatic data resides. According to SSA security management and the PAR, the indicator is intended to measure infiltrations from outside of SSA, and not infiltrations from authorized internal users who manage to elevate their privileges and perform unauthorized actions. In addition, an infiltration is further defined as "…unauthorized access that requires a cleanup or restoration of backup files to a state prior to the infiltration."[14] Also, the indicator is intended to measure only infiltrations of the mainframe computers. Infiltrations that are related to non-mainframe systems, including SSA's Intranet, network, and distributed systems, are excluded for reporting purposes within this indicator.

Performance Indicator Calculation

      Total Mainframe Infiltrations = Count of the times that Mainframe Infiltrations are detected from the period of October 1, 2004 to September 30, 2005.

The count of mainframe infiltrations is maintained in the Change Asset and Problem Reporting System (CAPRS).

[14] Id. p. 99.

Findings

Internal Controls and Data Reliability

We found the policies and procedures related to the formal process to capture, store, and calculate the results of the performance indicator were not adequate. The documentation did not accurately describe the process in place during FY 2005, and not all components of the indicator calculation were included. Office of Management and Budget (OMB) Circular A-123, Management Accountability and Control, requires, "...documentation for transactions, management controls, and other significant events must be clear and readily available for examination. …"[15]

It should be noted that SSA management was in the process of updating the documentation related to this indicator during the time of the audit. As the calculation of this indicator is not based on computerized data, we did not complete an analysis of data reliability.

Accuracy of PAR Presentation and Disclosure

The intent of the indicator is to highlight SSA's success in preventing mainframe infiltrations. We believe this is an important goal and its success is very relevant to the Agency. However, it is not possible to state that undetected infiltrations did not occur. Therefore, management cannot measure or fully assert that an outside infiltration has not occurred.

We also noted inconsistencies in the descriptions of the indicator. Based on the title of the indicator, internal infiltrations would not be included in the calculation of this indicator; however, the definition, as described in the FY 2005 PAR, is unclear with regard to inclusion of internal infiltrations:

      An infiltration is an unauthorized access that requires a cleanup or restoration of back-up files to a state prior to the infiltration. This measure is a count of the number of times that an infiltration of mainframes is detected.[16] (emphasis added)

[15] OMB Circular A-123, Attachment II, Establishing Management Controls, June 21, 1995. Note: OMB Circular A-123 Revised December 21, 2004, did not become effective until FY 2006 and therefore was not in place during the time period of the review.
[16] SSA, PAR FY 2005 p. 99.

Finally, we believe that the data definition too narrowly defines a mainframe infiltration and could omit important events such as unauthorized access which results in disclosure of sensitive SSA information or misuse of data that occurs but does not require clean up or restoration activities. The Federal Information Processing Standards Publication (FIPS PUB) 200 defines an incident as

      An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.[17]

Additionally, the indicator excludes infiltrations of SSA's Intranet, network and distributed systems, which maintain important Agency information.

Performance Indicator Meaningfulness

SSA management does not provide a clear statement in the PAR of how preventing outside infiltrations of the mainframe relates to the Agency goal "To ensure superior Stewardship of Social Security programs and resources," or the Agency objective of "Efficiently manage Agency finances and assets, and effectively link resources to performance outcomes."

CONCLUSION AND RECOMMENDATIONS

SSA management indicated that the performance indicator "Maintain Zero Outside Infiltrations of SSA's Programmatic Mainframes" will be significantly updated in the 2006 PAR. As such we recommend SSA:

   1.  Document the policies and procedures used to prepare and disclose the results of the performance indicator.

   2.  Ensure the performance indicator definitions and reported results are meaningful, complete, and consistent with the title by:
         -  Clearly documenting the inclusion or exclusion of internal infiltrations in the calculation of the indicator results;
         -  Revising the performance indicator results to clarify that it measures only detected infiltrations. As an example, the indicator actual performance results could be documented as follows:
            Zero outside infiltrations of SSA's programmatic mainframes were detected.
         -  Broadening the indicator data definition to include infiltrations resulting in disclosure or misuse of sensitive SSA data; and,
         -  Expanding the calculation of indicator results to include infiltrations of the Agency's intranet, network, and distributed systems.

   3.  Articulate and disclose the linkage of the performance indicator to the Agency's strategic goals and objectives.

[17] FIPS PUB 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006, p. 7.

AGENCY COMMENTS
SSA agreed with our recommendations. See Appendix D for the Agency's comments.

Appendices
APPENDIX A – Acronyms
APPENDIX B – Scope and Methodology
APPENDIX C – Process Flowcharts
APPENDIX D – Agency Comments

Appendix A
Acronyms
 APP         Annual Performance Plan
 CAPRS       Change Asset and Problem Reporting System
 DCS         Deputy Commissioner of Systems
 DMZ         Demilitarized Zone
 US-CERT     United States Computer Emergency Readiness Team
 FIPS PUB    Federal Information Processing Standards Publication
 FY          Fiscal Year
 GPRA        Government Performance and Results Act
 IPT         Intrusion Protection Team
 MCAS        Managerial Cost Accountability System
 OCIO        Office of Chief Information Officer
 OCSO        Office of the Chief Strategic Officer
 PAR         Performance and Accountability Report
 SSA         Social Security Administration
 SRT         Security Response Team
 SUMS        Social Security Unified Measurement System
 VPN         Virtual Private Network

Appendix B
Scope and Methodology
We updated our understanding of the Social Security Administration's (SSA) Government Performance and Results Act (GPRA) processes. This was completed through research and inquiry of SSA management. We also requested SSA to provide various documents regarding the specific programs being measured as well as the specific measurement used to assess the effectiveness and efficiency of the related program.

Through inquiry, observation, and other substantive testing, including testing of source documentation, we performed the following:

   •   Reviewed prior SSA, Government Accountability Office, and other reports related to SSA GPRA performance and related information systems.
   •   Reviewed applicable laws, regulations and SSA policy.
   •   Met with the appropriate SSA personnel to confirm our understanding of each individual performance indicator.
   •   Flowcharted the processes (see Appendix C).
   •   Tested key controls related to manual or basic computerized processes (e.g., spreadsheets, databases, etc.).
   •   Conducted and evaluated tests of the automated and manual controls within and surrounding each of the critical applications to determine whether the tested controls were adequate to provide and maintain reliable data to be used when measuring the specific indicator.
   •   Identified attributes, rules, and assumptions for each defined data element or source document.
   •   Recalculated the metric or algorithm of key performance indicators to ensure mathematical accuracy.
   •   For those indicators with results that SSA determined using computerized data, we assessed the completeness and accuracy of that data to determine the data's reliability as it pertains to the objectives of the audit.

As part of this audit, we documented our understanding, as conveyed to us by Agency personnel, of the alignment of the Agency's mission, goals, objectives, processes, and related performance indicators. We analyzed how these processes interacted with related processes within SSA and the existing measurement systems. Our understanding of the Agency's mission, goals, objectives, and processes was used to determine if the performance indicators being used appear to be valid and appropriate given our understanding of SSA's mission, goals, objectives and processes.

We followed all performance audit standards in accordance with generally accepted government auditing standards. In addition to the steps above, we specifically performed the following to test the indicators included in this report:

MANAGEMENT INFORMATION SYSTEMS, MANAGERIAL COST ACCOUNTABILITY SYSTEM (MCAS) AND SOCIAL SECURITY UNIFIED MEASUREMENT SYSTEM (SUMS)

   •   Reviewed documentation related to project development, implementation and management activities.
   •   Reviewed the projects to determine whether they were developed in accordance with Agency policies regarding application software development.
   •   Reviewed each of the projects and, as applicable, found they were released into production during the time frame reported in the Fiscal Year 2005 Performance and Accountability Report by obtaining their software release documentation and/or observing the use of the system in production.

MAINTAIN ZERO OUTSIDE INFILTRATIONS OF SSA'S PROGRAMMATIC MAINFRAMES

   •   Assessed the reliability of the data by inquiring of appropriate personnel as to the sources of the data included on, and the process for reviewing, the United States Computer Emergency Readiness Team (US-CERT) reports.
   •   Reviewed the cumulative, September 30, 2005, US-CERT report.
   •   Interviewed various SSA personnel (including the Intrusion Protection Team, SSA Security Response Team, Chief Security Officer, Virtual Private Network and Modems Administration and Support teams, Top Secret Administrators and Security Officer) responsible for protecting the mainframe to gain an understanding of the tools and processes implemented to protect, monitor and report on SSA's systems security.
   •   Performed (during SSA's FY 2005 Financial Statement Audit) penetration testing, firewall assessments, mainframe operating system and Top Secret configuration reviews.

Appendix C

Flowchart of Management Information Systems, MCAS and SUMS

Management Information Systems, MCAS and SUMS

•   Portions of the MCAS and SUMS application were developed prior to FY 2005.
•   The current year goal is reported in the APP.
•   SSA management approves the goal and the APP is published.
•   Each application scheduled for completion during the current year is planned, tested, and completed, as appropriate.
•   Each completed application is moved into production.
•   Milestone completed is reported to the OCSO.
•   The percent complete of the overall goal is updated to reflect the application that has been completed and is in production.
•   Meetings are held to discuss overall progress of projects as well as deviations, which are included on the monthly tracking report. These meetings include: Bi-weekly project manager meetings, Monthly Executive Steering Committee Meeting, Monthly meeting with the DCS, Monthly Executive Staff meeting with the Commissioner.
•   Updated completion calculation is reported in the PAR for the MCAS and SUMS indicators.

Flowchart of Mainframe Protection

Mainframe Protection

•   Activity occurs through outside points of entry. This includes the VPN and vendor access.
•   SSA and IBM monitor port settings (including remote access points), the Internet firewalls, the Intranet, and the DMZ.
•   Is activity unusual or suspicious?
         o  No - No action is taken.
         o  Yes - Alert is forwarded to the IPT.
•   CAPRS ticket is created by IPT and/or SRT.
•   Did mainframe infiltration occur?
         o  No - Document activity noted from the alert and reasoning behind decision in CAPRS and close ticket.
         o  Yes - Mainframe infiltration is contained and reviewed by IPT and CAPRS ticket is closed.
•   Risk Management Program personnel, IPT, and SRT meet with management to discuss security of SSA systems on a monthly basis. In addition, a monthly incident report is produced for management and US-CERT.
•   Infiltration included on US-CERT report; if no infiltrations are noted, this is recorded on the report.
•   OCIO provides the number of mainframe infiltrations detected to OCSO on a monthly basis and at year end.
•   Results of the indicator are reported in the PAR on an annual basis.

Appendix D

Agency Comments

SOCIAL SECURITY

MEMORANDUM

Date:     September 5, 2006                                   Refer To: S1J-3
To:       Patrick P. O'Carroll, Jr.
          Inspector General
From:     Larry W. Dye /s/
          Chief of Staff
Subject:  Office of the Inspector General (OIG) Draft Report, "Performance Indicator Audit: Management Information Systems and Mainframe Protection" (A-15-06-16112)--INFORMATION

We appreciate OIG's efforts in conducting this review. Our comments on the draft report are attached.

Please let me know if you have any questions. Staff inquiries may be directed to Ms. Candace Skurnik, Director, Audit Management and Liaison Staff, at extension 54636.

Attachment:
SSA Comments

COMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL'S (OIG) DRAFT REPORT, "PERFORMANCE INDICATOR AUDIT: MANAGEMENT INFORMATION SYSTEMS AND MAINFRAME PROTECTION" (A-15-06-16112)

Thank you for the opportunity to review and provide comments on this draft report. The report notes that the auditors did not identify any significant findings related to two of the three performance indicators included in this audit: "Enhance efforts to improve financial performance using the Managerial Cost Accountability System" and "Improve workload information using Social Security Unified Measurement System." However, the report includes significant findings related to the performance indicator "Maintain zero outside infiltrations of SSA's programmatic mainframes."

We are reviewing the performance indicator "Maintain Zero Infiltrations of SSA's Programmatic Mainframes," as well as the data definition and the linkage of the indicator to the Agency's Goals and Objectives. In this regard, we are taking an in-depth look at the existing tools and techniques to determine the Agency's ability to monitor, record and report meaningful measurements to include infiltrations of the Agency's intranet, network and distributed systems.

We have the following comments on the report's recommendations.

Recommendation 1

Document the policies and procedures used to prepare and disclose the results of the performance indicator.

Comment

We agree. We documented the policies and procedures used to prepare and disclose the results of the performance indicator and provided them to OIG and PricewaterhouseCoopers (PwC). PwC indicated the policies and procedures sufficiently document the processes.

Recommendation 2

Ensure the performance indicator definitions and reported results are meaningful, complete, and consistent with the title by:
       - Clearly documenting the inclusion or exclusion of internal infiltrations in the calculation of the indicator results;
       - Revising the performance indicator results to clarify that it measures only detected infiltrations. As an example, the indicator actual performance results could be documented as follows:
         Zero outside infiltrations of SSA's programmatic mainframes were detected.
       - Broadening the indicator data definition to include infiltrations resulting in disclosure or misuse of sensitive SSA data; and,
       - Expanding the calculation of indicator results to include infiltrations of the Agency's intranet, network, and distributed systems.

Comment

This recommendation contains 4 items. We agree with the first item and are performing an in-depth review to ensure the performance indicator definitions and reported results are meaningful, complete and consistent.

We also agree with the second item included in this recommendation. We are revising the performance indicator to clarify that it measures only detected infiltrations.

Regarding the third item included in this recommendation, we are determining the technical aspects and feasibility of including infiltrations resulting in disclosure or misuse of sensitive data. Currently, we are unsure of the available methodologies, tools and techniques. If this section of the recommendation cannot be implemented using the existing processes, an evaluation and cost analysis will be required.

About the fourth item included in this recommendation, we are determining if, using existing technologies, methodologies and tools, the results can be measured to include infiltrations of the Agency's intranet, network and distributed systems. If this section of the recommendation cannot be implemented using the existing processes, this will also require an evaluation and cost analysis.

Recommendation 3

Articulate and disclose the linkage of the performance indicator to the Agency's strategic goals and objectives.

Comment

We agree.
We will update the Performance and Accountability Report and Information\nResources Management plan to articulate the linkage of the performance indicator to the\nAgency\xe2\x80\x99s strategic goals and objectives.\n\n[In addition to the comments above, SSA provided a technical comment, which has been\naddressed in the final report.]\n\n\n\n\nPIA: Management Information Systems and Mainframe Protection (A-15-06-16112)                        D-3\n\x0c               Overview of the Office of the Inspector General\nThe Office of the Inspector General (OIG) is comprised of our Office of Investigations (OI),\nOffice of Audit (OA), Office of the Chief Counsel to the Inspector General (OCCIG), and Office\nof Resource Management (ORM). To ensure compliance with policies and procedures, internal\ncontrols, and professional standards, we also have a comprehensive Professional Responsibility\nand Quality Assurance program.\n                                        Office of Audit\nOA conducts and/or supervises financial and performance audits of the Social Security\nAdministration\xe2\x80\x99s (SSA) programs and operations and makes recommendations to ensure\nprogram objectives are achieved effectively and efficiently. Financial audits assess whether\nSSA\xe2\x80\x99s financial statements fairly present SSA\xe2\x80\x99s financial position, results of operations, and cash\nflow. Performance audits review the economy, efficiency, and effectiveness of SSA\xe2\x80\x99s programs\nand operations. OA also conducts short-term management and program evaluations and projects\non issues of concern to SSA, Congress, and the general public.\n\n\n                                    Office of Investigations\nOI conducts and coordinates investigative activity related to fraud, waste, abuse, and\nmismanagement in SSA programs and operations. This includes wrongdoing by applicants,\nbeneficiaries, contractors, third parties, or SSA employees performing their official duties. 
This\noffice serves as OIG liaison to the Department of Justice on all matters relating to the\ninvestigations of SSA programs and personnel. OI also conducts joint investigations with other\nFederal, State, and local law enforcement agencies.\n\n\n                   Office of the Chief Counsel to the Inspector General\nOCCIG provides independent legal advice and counsel to the IG on various matters, including\nstatutes, regulations, legislation, and policy directives. OCCIG also advises the IG on\ninvestigative procedures and techniques, as well as on legal implications and conclusions to be\ndrawn from audit and investigative material. Finally, OCCIG administers the Civil Monetary\nPenalty program.\n                              Office of Resource Management\nORM supports OIG by providing information resource management and systems security. ORM\nalso coordinates OIG\xe2\x80\x99s budget, procurement, telecommunications, facilities, and human\nresources. In addition, ORM is the focal point for OIG\xe2\x80\x99s strategic planning function and the\ndevelopment and implementation of performance measures required by the Government\nPerformance and Results Act of 1993.\n\x0c'